internal/limitation/file

(internal) installer file limitation

# Limitation rule: flags a sample that appears to be an installer, so the
# user is told that the reported capabilities likely belong to the installer
# itself and may be misleading or incomplete for the files it creates.
rule:
  meta:
    name: (internal) installer file limitation
    # capa will likely detect installer specific functionality.
    # this is probably not what the user wants.
    # NOTE(review): the `internal/limitation/file` namespace presumably makes
    # capa treat a match as a file limitation and surface the description
    # below as a warning - confirm against capa's limitation handling.
    namespace: internal/limitation/file
    authors:
      - william.ballenthin@mandiant.com
    # User-facing text: states the limitation and the recommended next step
    # (understand the install mechanism, then analyze the created files).
    description: |
      This sample appears to be an installer.

      capa cannot handle installers well. This means the results may be misleading or incomplete.
      You should try to understand the install mechanism and analyze created files with capa.
    # Evaluated at file scope for both the static and the dynamic flavor.
    scopes:
      static: file
      dynamic: file
    # NOTE(review): 32 hex characters, presumably the MD5 of a reference
    # sample this rule is expected to match - confirm against the test corpus.
    examples:
      - 70FD3347786ED7A4A43910E6778EF296
  features:
    # Single-branch `or`: the rule fires when `executable/installer` matches.
    # NOTE(review): `executable/installer` looks like a namespace rather than
    # a single rule name, so any rule under it would trigger this limitation -
    # confirm which installer-identification rules it covers.
    - or:
      - match: executable/installer

last edited: 2023-11-24 10:34:28